forked from docs/doc-exports
zhangyue
e0d0a83c1f
Reviewed-by: Muller, Martin <martin.muller@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
96 lines
11 KiB
HTML
96 lines
11 KiB
HTML
<a name="sfs_02_0103"></a><a name="sfs_02_0103"></a>
|
|
|
|
<h1 class="topictitle1">User Signature Authentication</h1>
|
|
<div id="body0000001338915198"><p id="sfs_02_0103__en-us_topic_0000001263228774_p29043216362">General Purpose File system signs a request using AK/SK. When a client is sending a request to a general purpose file system, the message header must contain the SK, request time, request type, and other information of the signature.</p>
|
|
<ul id="sfs_02_0103__en-us_topic_0000001263228774_ul354274103710"><li id="sfs_02_0103__en-us_topic_0000001263228774_li1254374203710">AK: access key ID, which is a unique identifier associated with a secret access key (SK). The AK and SK are used together to obtain an encrypted signature for a request. Format example: <strong id="sfs_02_0103__en-us_topic_0000001263228774_b0602125118582">HCY8BGCN1YM5ZWYOK1MH</strong></li><li id="sfs_02_0103__en-us_topic_0000001263228774_li1854312443719">SK: secret access key, which is used together with the AK to sign requests, identify a request sender, and prevent the request from being modified. Format example: <strong id="sfs_02_0103__en-us_topic_0000001263228774_b4661163595910">9zYwf1uabSQY0JTnFqbUqG7vcfqYBaTdXde2GUcq</strong></li></ul>
|
|
<p class="msonormal" id="sfs_02_0103__en-us_topic_0000001263228774_p22691253">General Purpose File System provides the signature calculation method based on the application scenario. For details, see <a href="sfs_02_0104.html">Authentication of Signature in a Header</a>.</p>
|
|
<p class="msonormal" id="sfs_02_0103__en-us_topic_0000001263228774_p2894687"><a href="#sfs_02_0103__en-us_topic_0000001263228774_table1151632183812">Table 1</a> shows the user signature verification process in which a signature is carried in a header. For details about the parameters and code examples of authentication of signature in a header, see <a href="sfs_02_0104.html">Authentication of Signature in a Header</a>.</p>
|
|
|
|
<div class="tablenoborder"><a name="sfs_02_0103__en-us_topic_0000001263228774_table1151632183812"></a><a name="en-us_topic_0000001263228774_table1151632183812"></a><table cellpadding="4" cellspacing="0" summary="" id="sfs_02_0103__en-us_topic_0000001263228774_table1151632183812" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Signature calculation and verification procedure of General Purpose File System</caption><thead align="left"><tr id="sfs_02_0103__en-us_topic_0000001263228774_row515218324385"><th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.5.2.4.1.1"><p id="sfs_02_0103__en-us_topic_0000001263228774_p3152193211383">Procedure</p>
|
|
</th>
|
|
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.4.1.2"><p id="sfs_02_0103__en-us_topic_0000001263228774_p81521032133820">Example</p>
|
|
</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr id="sfs_02_0103__en-us_topic_0000001263228774_row6152133216385"><td class="cellrowborder" rowspan="5" valign="top" width="12%" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p5152163218386">Signature calculation</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p632064774014">1. Construct an HTTP message.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.5.2.4.1.2 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p14357122794415">PUT /HTTP/1.1</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p16356162764414">Host: filesystem.sfs3.region.example.com</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p1835632744418">Date: Tue, 04 Jun 2019 06:54:59 GMT</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p13356122734416">Content-Type: text/plain</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p4356152744418">Content-Length: 5913</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row1915220322385"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p12829251114013">2. Calculate <strong id="sfs_02_0103__en-us_topic_0000001263228774_b12910173913143">StringToSign</strong> based on the signature rule.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p155065339446">StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row215363216385"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p3893242398">3. Prepare the AK and SK.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p1057319401446">AK: ******</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p13573124015441">SK: ******</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row18153732123817"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p1089024123912">4. Calculate <strong id="sfs_02_0103__en-us_topic_0000001263228774_b5305134913151">Signature</strong>.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p37515457444">Signature = Base64( HMAC-SHA1( <strong id="sfs_02_0103__en-us_topic_0000001263228774_b8751453442">SecretAccessKeyID</strong>, UTF-8-Encoding-Of( <strong id="sfs_02_0103__en-us_topic_0000001263228774_b1943716215219">StringToSign</strong> ) ) )</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row1715383203813"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p389724133911">5. Add a signature header and send the request to SFS.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p1189124113914">PUT /object HTTP/1.1</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p1489172413915">Host: filesystem.sfs3.region.example.com</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p389162414392">Date: Tue, 04 Jun 2019 06:54:59 GMT</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p98922403920">Content-Type: text/plain</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p17891524153918">Content-Length: 5913</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p108992415391">Authorization: OBS <strong id="sfs_02_0103__en-us_topic_0000001263228774_b68942493914">AccessKeyID</strong>:<strong id="sfs_02_0103__en-us_topic_0000001263228774_b78952443920">Signature</strong></p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row111532032133817"><td class="cellrowborder" rowspan="5" valign="top" width="12%" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p9153932153815">Signature authentication</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p226116397399">6. Receive the HTTP message.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.5.2.4.1.2 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p9261193953912">PUT / HTTP/1.1</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p112611639103912">Host: filesystem.sfs3.region.example.com</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p72611339133917">Date: Tue, 04 Jun 2019 06:54:59 GMT</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p1261123923915">Content-Type: text/plain</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p6261153983915">Content-Length: 5913</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p122618399391">Authorization: OBS <strong id="sfs_02_0103__en-us_topic_0000001263228774_b8261839163920">AccessKeyID</strong>:<strong id="sfs_02_0103__en-us_topic_0000001263228774_b1826213923920">Signature</strong></p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row3153133243810"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p72629399395">7. Obtain the SK based on the AK in the request.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p182621639143916">Obtain the AK from the authorization header and obtain the SK of the user from IAM.</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row31531632163818"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p1726212397394">8. Calculate <strong id="sfs_02_0103__en-us_topic_0000001263228774_b36658016285">StringToSign</strong> based on the signature rule.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p82628392394">StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row015318327382"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p16262143983915">9. Calculate <strong id="sfs_02_0103__en-us_topic_0000001263228774_b072528192816">Signature</strong>.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p1926273913398">Signature = Base64( HMAC-SHA1( <strong id="sfs_02_0103__en-us_topic_0000001263228774_b72620397396">SecretAccessKeyID</strong>, UTF-8-Encoding-Of( <strong id="sfs_02_0103__en-us_topic_0000001263228774_b865475915228">StringToSign</strong> ) ) )</p>
|
|
</td>
|
|
</tr>
|
|
<tr id="sfs_02_0103__en-us_topic_0000001263228774_row1915323273819"><td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p926213915391">10. Authenticate the signature.</p>
|
|
</td>
|
|
<td class="cellrowborder" valign="top" headers="mcps1.3.5.2.4.1.1 "><p id="sfs_02_0103__en-us_topic_0000001263228774_p226213398393">Verify that the value of <strong id="sfs_02_0103__en-us_topic_0000001263228774_b76321945102817">Signature</strong> in the authorization header is the same as the value of <strong id="sfs_02_0103__en-us_topic_0000001263228774_b042683122913">Signature</strong> calculated by the server.</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p026213943919">If the two values are the same, the signature verification is successful.</p>
|
|
<p id="sfs_02_0103__en-us_topic_0000001263228774_p0262103915396">If the two values are different, the signature verification fails.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="sfs_02_0102.html">Authentication</a></div>
|
|
</div>
|
|
</div>
|
|
|